In order to bring the problem of extracting unpacking code into the realm of decidability, MyCERT had been working on automating the unpacking script in an assembly-like language. The script, called OllyScript, can be used to unpack malicious worm Win32/Conficker B and Win32/Conficker C. OllyScript is the scripting language plugin for OllyDbg. It simulates user’s debugging session within OllyDbg.

OllyScript is important when dealing with PE packer; it can take hours to unpack a single protector where users no need to do it too often. The unpacked code extraction algorithm as URL [https://blog.honeynet.org.my/mirror/Unpack_ConfickerBC.txt] operates by identifying the version of Conficker worm of an input binary executable file. An automating uncompressing code is executed to unpack the obfuscation code.

The instruction on how to run the “Unpack_ConfickerBC.txt” using OllyDBG please refer to previous post [https://blog.honeynet.org.my/?p=81].